Amazon DynamoDB is a fully managed, nonrelational database that delivers reliable performance at any scale. Because of the flexible DynamoDB data model, enterprise-ready features, and industry-leading service level agreement, customers are increasingly moving to DynamoDB sensitive workloads such as financial and healthcare data, whose compliance regulations mandate data encryption.

DynamoDB has encrypted all existing tables that were previously unencrypted by using a default AWS owned customer master key (CMK). When creating a new table, you can now use either the default AWS owned CMK or an AWS managed CMK.

Encryption at rest greatly reduces the operational burden and complexity involved in protecting sensitive data. DynamoDB encrypts data using industry-standard AES-256 algorithms, which ensure that only authorized roles and services can access sensitive data with access to the encryption keys audited by AWS CloudTrail. With encryption at rest, you can build security-sensitive applications that require strict encryption compliance and regulatory requirements.

You do not have to make any code or application modifications to encrypt your data. Encryption at rest using the AWS owned CMK is provided at no additional charge. DynamoDB handles the encryption and decryption of your data transparently and continues to deliver the same single-digit millisecond latency that you have come to expect.